CA2762615A1 - Vehicle device, ad hoc network and method for a road toll system (Google Patents)
- Publication number: CA2762615A1
- Authority: CA (Canada)
- Prior art keywords: vehicle device, location data, location, vehicle, trusted
- Legal status: Abandoned (as listed by Google Patents; not a legal conclusion)
Classifications
- G06Q50/00—Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
- G06Q50/40—Business processes related to the transportation industry
- G07B15/00—Arrangements or apparatus for collecting fares, tolls or entrance fees at one or more control points
- G07B15/06—Arrangements for road pricing or congestion charging of vehicles or vehicle users, e.g. automatic toll systems
- G07B15/063—Arrangements for road pricing or congestion charging of vehicles or vehicle users, e.g. automatic toll systems using wireless information transmission between the vehicle and a fixed station
Abstract
The invention pertains to a vehicle device, a network, and a method for a road toll system, with a satellite navigation receiver for continuously generating location data for a processing and transmitting/receiving unit of a vehicle device and a separate trusted-element processor for logging a time segment of the generated location data and for cryptographically signing said time segment, wherein the trusted-element processor starts said logging upon the detection of a predefined time or a predefined location of the vehicle device and carries out this logging for a predefined time segment.
Description
VEHICLE DEVICE, AD HOC NETWORK AND METHOD FOR A ROAD TOLL SYSTEM
The present invention pertains to a vehicle device for a road toll system that is also referred to as an "onboard unit" or OBU, with a satellite navigation receiver for continuously generating location data for a processing and transmitting/receiving unit of the vehicle device and a separate trusted-element processor for logging a time segment of the generated location data and for cryptographically signing said time segment. The invention furthermore pertains to an ad hoc network of at least two such vehicle devices, as well as to a method for logging location data of a location-recording vehicle device of a road toll system with several vehicle devices that can exchange location data in a wireless fashion.
EP 2 017 790 A2 describes the utilization of a trusted-element for signing the location recordings transmitted by an OBU to a map-matching proxy. In this case, the trusted-element also serves for encrypting the interface between OBU and map-matching proxy.
"Secure monitoring" concepts that are based on a logging and segmental signing ("real-time freezing") of the location recordings of the vehicle devices of the road toll system are used for monitoring and controlling the proper functioning of interoperable road toll systems such as the new European Electronic Toll Service (EETS). The signing is realized with trusted-element processors that contain a cryptographic signature ("trusted element certificate") of the controller such as, e.g., a road operator, an agency, etc. ("certificate issuer"), and therefore are trusted by said controller. Details on the secure monitoring or secure freezing concept can be found, for example, in the publications "Security aspects of the EETS," Expert Group 12, Final report V1.0, April 5, 2007; "Electronic fee collection - Application interface definition for autonomous systems - Part 1: Charging," ISO Technical Specification 17575-1, June 15, 2010; and "An example of a view on EETS trust and privacy in GNSS-based toll systems," Vis J, Report Ministry of Transport, Public Works and Water Management of The Netherlands, December 15, 2009.
In the known systems, all location data accumulating in the vehicle device is logged and segmentally signed in a continuous fashion ("freezed" [sic]); subsequently, the signed time segments are read out with an external control device for control purposes. This is associated with the accumulation of a large volume of data and requires a correspondingly large storage space for storing the signed data on the one hand, and separate control devices for reading out the signed data on the other hand.
The invention aims to eliminate the disadvantages of the prior art and to develop an improved secure-monitoring solution for interoperable road toll systems.
According to a first aspect of the invention, this objective is attained with a vehicle device of the initially described type which is characterized in that the trusted-element processor is configured to start said logging upon the detection of a predefined time or a predefined location of the vehicle device and to carry out this logging for a predefined time segment.
In this way, the vehicle device is used for monitoring itself: the thusly programmed trusted-element processor acts similar to a computer virus that at a predefined time or at a predefined location collects location data in the vehicle device and makes this location data available for control purposes for a limited time. The aforementioned functionality of the trusted-element processor "sleeps" until it is used and then carries out an individual segmental logging. It therefore is no longer necessary to continuously log, sign, and store ("freeze") all location data, and a separate control device for triggering the monitoring process can also be eliminated.
It goes without saying that the predefined location being detected does not necessarily have to be a point, but rather may also be extended, such as, e.g., a district, a specific road, etc.
According to a first variation of the invention, the trusted-element processor detects the predefined location in the location data of its own vehicle device such that the effort is minimized.
A particularly advantageous embodiment of the invention is characterized in that the trusted-element processor detects the predefined location in external location data that it receives from proximate vehicle devices via a wireless network. This represents a qualitative leap in the security of the monitoring process: the location data of other vehicle devices is not dependent on possible manipulations or malfunctions of the controlled vehicle device; the use of external location data as starting criterion for the secure freezing of the location data therefore enables the controller or certificate issuer to control the proper functioning of a vehicle device in a highly secure fashion. The aforementioned proximate vehicle devices do not necessarily have to be carried in vehicles; they may also be infrastructure-based and stationary.
The wireless network preferably is an ad hoc network, particularly a vehicular ad hoc network (VANET) that preferably operates in accordance with the WAVE (wireless access in vehicular environments) standard or the WLAN (wireless local area network) standard. Such networks can be formed spontaneously among a group of proximate vehicle devices that are located within mutual transmission/reception range.
It is particularly advantageous that the trusted-element processor receives and matches the external location data of several proximate vehicle devices in order to detect the predefined location in the matched external location data.
In order to meet confidentiality requirements, the trusted-element processor may, according to another preferred characteristic, retrieve the external location data of the proximate vehicle devices anonymously, such as, e.g., under a randomly selected (anonymous) network sender identification, a MAC address in the ad hoc network that cannot be attributed without additional information, etc.
In order to improve the control security, the trusted-element processor may retrieve the external location data by exchanging a key with temporally and/or locally limited validity and take into consideration only the external location data received under a valid key. This makes it possible to verify the timeliness of the location data used as starting criterion and/or its proximity area; in a highly mobile environment such as a VANET, this makes it possible to improve the accuracy in locating the logged vehicle device.
In another variation of the invention, the trusted-element processor can send the signed time segment to a control center of the road toll system by means of the transmitting/receiving unit of the vehicle device. Alternatively, the trusted-element processor may make the signed time segment available for retrieval via an interface of the vehicle device.
According to a second aspect, the invention also proposes an ad hoc network according to the characteristics of Claim 10 of at least two vehicle devices of the type in which data of proximate vehicle devices is used as starting criterion for secure freezing.
According to a third aspect, the invention furthermore proposes a method for logging location data of a location-recording vehicle device of a road toll system with several vehicle devices that can exchange location data in a wireless fashion, wherein said method comprises the following steps in a first vehicle device:
- receiving location data of a second vehicle device,
- detecting a predefined location in the received location data of the second vehicle device,
- starting the logging of a time segment of the location data of the first vehicle device, and
- signing the logged time segment with a cryptographic signature.
The detecting, logging and signing preferably take place in a trusted-element processor of the first vehicle device.
If the logging of its own location data is started in a time-controlled fashion, the location data of the other vehicle devices can be used as additional validation data in that it is "also frozen" during the secure freezing of its own location data. Accordingly, the invention also proposes an alternative variation of a method for logging location data of a location-recording vehicle device of a road toll system with several vehicle devices that can exchange location data in a wireless fashion, wherein this alternative variation of the method comprises the following steps in a first vehicle device:
- detecting a predefined time,
- starting the logging of a time segment of the location data of the first vehicle device and receiving location data of a second vehicle device, and
- signing the logged time segment and the received location data with a cryptographic signature.
With respect to the advantages of the ad hoc network and the methods according to the invention, we refer to the preceding explanation of the inventive vehicle device.
The invention is described in greater detail below with reference to an exemplary embodiment that is illustrated in the attached drawings. In these drawings, Figure 1 shows, in the form of a block diagram, a road toll system with vehicle devices in an inventive ad hoc network in which the method according to the invention is utilized; and Figure 2 shows, in the form of a block diagram, a detailed representation of one of the vehicle devices according to Figure 1.
Figure 1 shows an interoperable road toll system 1 that is composed of a plurality of vehicle devices (onboard units, OBUs, O1-O6) 2, a plurality of different toll operator centers (toll chargers, TC1, TC2) 3 and a plurality of different billing centers (certificate issuers, CI1-CI3) 4.
The vehicle devices 2 continuously determine their location p in a global navigation satellite system (GNSS) 6 by means of satellite navigation receivers 5 (Figure 2) and generate a continuous stream (track) of location data (position fixes) p_i thereof.
Each vehicle device 2 transmits its location data p_i to a billing center 4 via an operator center 3 either in "raw form" or, preferably, processed into toll data m with the aid of a processing and transmitting/receiving unit 7, 8 (Figure 2). The processing segment 7 of the unit 7, 8 consists, for example, of a microprocessor and the transmitting/receiving segment 8 of the unit 7, 8 consists of a DSRC (dedicated short-range communication) transceiver, a WAVE transceiver, a WLAN transceiver or preferably a PLMN (public land mobile network) transceiver.
The toll data m preferably consists of accumulated and location-anonymized toll transaction datasets that specify, for example, a number of kilometers traveled, a traveled segment of a road network, the time spent in a toll area (e.g., congestion charges), etc.
In order to generate the toll data m from the location data p_i, the latter can be matched, for example, with previously stored toll maps ("map matching"). For this purpose, the vehicle devices 2 may also utilize, for example, an external map matching proxy 9, to which map matching tasks are outsourced under anonymized task identifications in order to preserve the confidentiality of the location data p_i with respect to the operator and billing centers 3, 4. The toll data m may also be sent directly from the proxy 9 to the operator or billing centers 3, 4.
In order to monitor and control the functions of the vehicle devices 2 and also of the operator centers 3, each vehicle device 2 is, according to Figure 2, equipped with a trusted-element processor 10 that contains a cryptographic signature (trusted key) tk. The signature tk is issued, e.g., by a certificate issuer CI, namely the owner of one of the billing centers 4, and is confidential to this certificate issuer. In the context of the present description, the term "trusted-element processor" 10 refers to a processor element that is equipped with a cryptographic signature, access to which is cryptographically secured, preferably on the hardware level. Processor elements of this type meet strict security requirements such as, for example, those specified for single-chip processors integrated into SIM cards, credit cards, bank cards, etc.
The trusted-element processor 10 receives the stream of location data p_i from the satellite navigation receiver 5 of the vehicle device 2 directly or via the processing segment 7 and is designed or programmed for recording the location data p_i over a predefined time segment s such as, e.g., 1, 5 or 10 minutes at a time in response to specific requests or triggering. The recorded time segment s(p_i) is subsequently signed by the trusted-element processor 10 with its cryptographic signature tk and therefore "frozen."
A data reduction of the time segment s may be carried out during the signing or even directly before the signing, for example, by forming a hash value thereof. In the following description, the term hash value refers to the application of a practically irreversible n:1 transformation function to an input dataset, i.e., a function that is reversible only in an (extremely) ambiguous fashion, such that the input dataset practically can no longer be deduced from a known hash value. Examples of such hash functions are the checksum function, the modulo function, etc.
The signed logged time segment is designated as s*(p_i, tk) in this case and subsequently sent to an operator center 3 by the transmitting/receiving unit 8 of the vehicle device 2 and from said operator center to a billing center 4. Based on the signature tk of the signed time segment s*, the billing center 4 can deduce the authentic origin of said time segment from a trusted-element processor 10 that enjoys its trust. The signed logged time segment s* may alternatively or additionally be made available for retrieval via an interface 11 of the vehicle device 2.
The start of the time segment s, in which the location data p_i is logged, may be triggered in the trusted-element processor 10 in different ways. According to a first embodiment, the vehicle device 2 contains a timer 12 in the form of a "watchdog" that triggers said logging at a predefined time T, i.e., it "wakes up" the trusted-element processor 10 for said functionality when the current time is t = T.
A second starting criterion consists of the trusted-element processor 10 detecting the occurrence of a predefined location P in the location data p_i. The predefined location P may consist of a selective location such as, e.g., a "virtual toll station" or of an extended location such as a parking area, a city center, a highway segment, etc. The logging over said predefined time segment such as, e.g., over 10 minutes, starts as soon as the trusted-element processor 10 detects the location P in the location data p_i, i.e., as soon as it determines that a location p in the location data p_i lies within the boundaries or in the vicinity of the predefined location P. After the logging is completed, the signed logged time segment s* of the location data p_i is available for its transmission and retrieval.
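The trigger-then-freeze behaviour of the trusted-element processor 10 described in the two preceding paragraphs, as an added Python model that is not part of the patent or of any OBU implementation: the element sleeps until the watchdog time T is reached or a fix lies within P, logs a segment s of fixes, hashes it for data reduction, signs it with tk, and lets the certificate issuer verify the signature. The planar metre coordinates, the class and function names, the HMAC stand-in for the element's signature tk and the sample tracks are all assumptions of this example.

```python
import hashlib
import hmac
import json
import math
from typing import List, Optional, Tuple

# Coordinates are planar metres in a local frame (assumption; a real OBU
# works from GNSS lat/lon).  A position fix p_i is (t, x, y).
Fix = Tuple[int, float, float]
# A predefined location P: centre (x, y) and radius in metres, so that a
# "virtual toll station" and an extended area are handled the same way.
Area = Tuple[float, float, float]


class TrustedElement:
    """Model of the trusted-element processor 10: it sleeps until the timer
    reaches T or a fix lies within P, then logs a segment s of `segment_fixes`
    fixes and signs it with tk.  HMAC over a SHA-256 hash of the segment stands
    in for the element's signature (assumption of this example)."""

    def __init__(self, tk: bytes, T: Optional[int] = None, P: Optional[Area] = None,
                 segment_fixes: int = 5):
        self._tk = tk
        self.T, self.P, self.segment_fixes = T, P, segment_fixes
        self._segment: List[Fix] = []   # fixes of the segment being logged
        self._timer_fired = False        # the watchdog fires once
        self._armed = True               # one segment per entry into P
        self.frozen: List[dict] = []     # completed signed segments s*

    def _in_p(self, x: float, y: float) -> bool:
        cx, cy, r = self.P
        return math.hypot(x - cx, y - cy) <= r

    def _triggered(self, t: int, x: float, y: float) -> bool:
        if self.T is not None and not self._timer_fired and t >= self.T:
            self._timer_fired = True
            return True
        if self.P is not None:
            inside = self._in_p(x, y)
            if inside and self._armed:
                self._armed = False
                return True
            if not inside:
                self._armed = True       # re-arm once the device has left P
        return False

    def on_fix(self, t: int, x: float, y: float) -> Optional[dict]:
        """Feed one fix from the GNSS receiver; returns s* when a segment completes."""
        if not self._segment and not self._triggered(t, x, y):
            return None                  # asleep: nothing is stored
        self._segment.append((t, x, y))
        if len(self._segment) < self.segment_fixes:
            return None
        frozen = self._freeze(self._segment)
        self._segment = []
        self.frozen.append(frozen)
        return frozen

    def _digest(self, segment: List[Fix]) -> bytes:
        # Data reduction before signing: hash the serialised segment.
        return hashlib.sha256(json.dumps(segment, separators=(",", ":")).encode()).digest()

    def _freeze(self, segment: List[Fix]) -> dict:
        sig = hmac.new(self._tk, self._digest(segment), hashlib.sha256).hexdigest()
        return {"segment": list(segment), "sig": sig}

    def verify(self, frozen: dict) -> bool:
        """Check performed by the certificate issuer holding tk: recompute and compare."""
        expected = hmac.new(self._tk, self._digest(frozen["segment"]), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, frozen["sig"])


def drive_through_p(segment_fixes: int = 5) -> List[dict]:
    """Constructed track: 1 Hz fixes heading west at 15 m/s along y=0 through P
    (centre at the origin, radius 150 m), starting 300 m east of the centre."""
    te = TrustedElement(tk=b"tk-constructed", P=(0.0, 0.0, 150.0), segment_fixes=segment_fixes)
    for t in range(60):
        te.on_fix(t, 300.0 - 15.0 * t, 0.0)
    return te.frozen                     # exactly one segment, starting at t=10


def timer_wakeup(T: int = 30, segment_fixes: int = 5) -> List[dict]:
    """Constructed track far from any P: only the watchdog at T can wake the element."""
    te = TrustedElement(tk=b"tk-constructed", T=T, segment_fixes=segment_fixes)
    for t in range(60):
        te.on_fix(t, 1000.0 + 15.0 * t, 0.0)
    return te.frozen


def tamper_detected() -> bool:
    """Altering one fix after freezing must invalidate the signature."""
    te = TrustedElement(tk=b"tk-constructed", T=0, segment_fixes=3)
    frozen = None
    for t in range(3):
        frozen = te.on_fix(t, float(t), 0.0)
    ok_before = te.verify(frozen)
    frozen["segment"][1] = (1, 999.0, 0.0)
    return ok_before and not te.verify(frozen)
```

The element stores nothing while asleep, which is the storage saving the description claims over continuous freezing; the `_armed` flag keeps an extended P from re-triggering a fresh segment on every fix while the vehicle is still inside it.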
Another particularly secure starting criterion consists of the trusted-element processor 10 detecting the occurrence of the predefined location P in "external" location data p_i' that it receives from other ("external") proximate vehicle devices 2 rather than in the own location data p_i of its own vehicle device 2. This is described in greater detail below.
According to the illustrations in Figures 1 and 2, a group of vehicle devices 2 of the road toll system 1 may form a wireless network 13 by linking the vehicle devices to one another via wireless connections 14. The wireless connections 14 may be structured, for example, in accordance with the WAVE or WLAN standard and the wireless network 13 preferably consists of an ad hoc network or VANET. For this purpose, each vehicle device 2 features a suitable wireless transceiver 15. The wireless transceiver 15 and the transmitting/receiving unit 8 of the vehicle device 2 may optionally be identical.
Vehicle devices 2 can inform one another about their respective current location p or, e.g., continuously exchange their location data p_i within the wireless network 13.
One such example is the exchange of VST messages (Vehicle Service Table Messages) within a VANET, in which the individual network nodes (vehicle devices 2) inform one another about their communication capabilities and the services they offer, as well as their recent locations p or their recent location data p_i, when a wireless connection 14 is established.
Alternatively, a trusted-element processor 10 of a vehicle device 2 may also retrieve locations p or location data p_i' of proximate vehicle devices 2 on its own at any time. The location data p_i' of several proximate vehicle devices 2 received in a vehicle device 2 may also be matched with one another, e.g., with respect to consistency, in order to hide anomalous measured values or to average the received location data p_i'.
Retrieval or transmission keys with temporally and/or locally limited validity may be used for the retrieval or reception of the external location data p_i' of the proximate vehicle devices 2 such that only external location data p_i' that is received within a predefined time period or originates from a predefined local area around the vehicle device 2 is taken into consideration.
The trusted-element processor 10 is designed or programmed for detecting the appearance of the predefined location P in the external location data p_i' of the proximate vehicle devices 2 and uses this as triggering criterion for starting the logging of the location recordings p_i of its own vehicle device 2. Consequently, possible manipulations, corruptions or faults of its own location data p_i are not taken into consideration in triggering the logging of the location data segment s or s*, so that the detection of a malfunction is simplified: if the location recordings p_i contained in the frozen time segment s* do not (approximately) correspond to the predefined location P that was detected in the external location data p_i', a manipulation or a malfunction of the vehicle device 2 has occurred.
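The external-data trigger of the preceding paragraph, together with the key-validity filter and the matching of several proximate devices' data described just before it, as an added Python example that is not part of the patent or of any OBU implementation: location reports from proximate devices are accepted only under a retrieval key valid at the time of receipt, matched by discarding anomalous values and averaging the rest, and the detection of P in the matched data starts the freezing of the own fixes; the certificate issuer's cross-check then flags a segment whose own recordings do not lie in or near P. The planar metre coordinates, the key-window table, the message layout, the tolerances, the HMAC stand-in for the signature tk and all sample data are assumptions of this example.

```python
import hashlib
import hmac
import json
import math
import statistics
from typing import Dict, List, Optional, Tuple

# Coordinates are planar metres in a local frame (assumption; a real OBU
# would work from GNSS lat/lon).  A fix is (t, x, y).
Fix = Tuple[int, float, float]

# Constructed predefined location P: centre (x, y) and radius in metres.
P = (0.0, 0.0, 150.0)

# Constructed retrieval keys with temporally limited validity:
# key id -> (valid_from, valid_to) in seconds.  The keys are assumed to be
# exchanged over the short-range ad hoc link, which is what bounds the
# sender to the local area around the own device.
KEY_WINDOWS = {"k-epoch-3": (300, 399), "k-epoch-4": (400, 499)}


def accept_external(msg: dict, now: int) -> bool:
    """Take into consideration only external location data received under a
    key that is valid at `now` and whose fix time lies inside that key's window."""
    window = KEY_WINDOWS.get(msg.get("key"))
    if window is None:
        return False
    lo, hi = window
    return lo <= now <= hi and lo <= msg["t"] <= hi


def match_external(msgs: List[dict], tol_m: float = 50.0) -> Optional[Tuple[float, float]]:
    """Match the fixes of several proximate devices: drop fixes farther than
    `tol_m` from the per-axis median (anomalous values) and average the rest.
    At least two devices must agree, so a single sender cannot trigger alone."""
    if len(msgs) < 2:
        return None
    mx = statistics.median(m["x"] for m in msgs)
    my = statistics.median(m["y"] for m in msgs)
    kept = [m for m in msgs if math.hypot(m["x"] - mx, m["y"] - my) <= tol_m]
    if len(kept) < 2:
        return None
    return (sum(m["x"] for m in kept) / len(kept), sum(m["y"] for m in kept) / len(kept))


def in_area(x: float, y: float, area: Tuple[float, float, float] = P) -> bool:
    cx, cy, r = area
    return math.hypot(x - cx, y - cy) <= r


def freeze(segment: List[Fix], tk: bytes) -> dict:
    """Sign a hash of the serialised segment with the trusted key tk
    (HMAC stands in for the trusted element's signature; assumption)."""
    payload = json.dumps(segment, separators=(",", ":")).encode()
    digest = hashlib.sha256(payload).digest()
    return {"segment": list(segment), "sig": hmac.new(tk, digest, hashlib.sha256).hexdigest()}


def monitor(own_fixes: List[Fix], external: Dict[int, List[dict]], tk: bytes,
            segment_fixes: int = 5, slack_m: float = 100.0) -> Optional[dict]:
    """External-data trigger: start logging own fixes when the matched external
    location data shows P, freeze `segment_fixes` fixes, then apply the issuer's
    cross-check: the frozen own recordings must lie in or near P (tolerance assumed)."""
    logging: List[Fix] = []
    trigger_t = None
    for (t, x, y) in own_fixes:
        if not logging:
            ext = [m for m in external.get(t, []) if accept_external(m, t)]
            loc = match_external(ext)
            if loc is None or not in_area(*loc):
                continue                  # sleep on: nothing is logged
            trigger_t = t
        logging.append((t, x, y))
        if len(logging) == segment_fixes:
            frozen = freeze(logging, tk)
            frozen["trigger_t"] = trigger_t
            near_p = any(math.hypot(fx - P[0], fy - P[1]) <= P[2] + slack_m
                         for (_, fx, fy) in frozen["segment"])
            frozen["verdict"] = "ok" if near_p else "manipulation or malfunction suspected"
            return frozen
    return None


def external_messages() -> Dict[int, List[dict]]:
    """Constructed VST-style location reports from proximate devices, keyed by
    receive time.  Senders use random-looking anonymous identifications."""
    return {305: [
        {"sender": "a9f3", "key": "k-epoch-3", "t": 305, "x": 10.0, "y": 5.0},
        {"sender": "07c1", "key": "k-epoch-3", "t": 304, "x": -20.0, "y": 15.0},
        {"sender": "e2d8", "key": "k-epoch-3", "t": 305, "x": 900.0, "y": 900.0},  # anomalous, dropped by matching
        {"sender": "5b60", "key": "k-epoch-2", "t": 305, "x": 0.0, "y": 0.0},      # unknown/expired key, ignored
        {"sender": "c4aa", "key": "k-epoch-4", "t": 305, "x": 0.0, "y": 0.0},      # key not yet valid, ignored
    ]}


def honest_track() -> List[Fix]:
    # Constructed: own device approaches P from the east at 15 m/s; ~75 m away at t=305.
    return [(t, 75.0 + 15.0 * (305 - t), 20.0) for t in range(300, 321)]


def spoofed_track() -> List[Fix]:
    # Constructed: own receiver is manipulated and reports a fixed position far from P.
    return [(t, 5000.0, 5000.0) for t in range(300, 321)]
```

Run `monitor(honest_track(), external_messages(), b"tk")` for the honest case and `monitor(spoofed_track(), ...)` for the manipulated one: both trigger at t=305 because the trigger comes from the proximate devices, not from the own receiver, and only the cross-check of the frozen own fixes against P separates them.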
It is also possible to combine the above-described embodiments: the timer 12 may cause the trusted-element processor 10 to retrieve the location data p_i' of proximate vehicle devices 2 at a certain time t and to record and sign this external location data together with the time segment s of its own location data p_i, i.e., s*(p_i, tk, p_i'), such that the proximate locations p_i' can be taken into consideration in the verification of its own location recordings p_i.
The proximate vehicle devices 2, the location data p_i' of which is used, may under certain circumstances also be stationary, such as, e.g., positioned in a stationary infrastructure rather than carried along in vehicles. In this case, they do not have to continuously determine their location data p_i' anew, but rather may determine this data once or contain this data in the form of data stored in a predefined fashion. Such "infrastructure-bound" vehicle devices 2 also fall under the term proximate vehicle devices 2 used herein.
The predefined time T, the predefined location P and/or the length of the time segment can be stored in the vehicle device 2 or the trusted-element processor 10 during the manufacture thereof or subsequently input via the interface 11, the transmitting/receiving unit 8 or the transceiver 15.
The invention therefore is not limited to the embodiments shown, but rather also includes all variations and modifications that fall under the scope of the attached claims.
The invention is described in greater detail below with reference to an exemplary embodiment that is illustrated in the attached drawings. In these drawings:
Figure 1 shows, in the form of a block diagram, a road toll system with vehicle devices in an inventive ad hoc network in which the method according to the invention is utilized; and
Figure 2 shows, in the form of a block diagram, a detailed representation of one of the vehicle devices according to Figure 1.
Figure 1 shows an interoperable road toll system 1 that is composed of a plurality of vehicle devices (onboard units, OBUs, O1-O6) 2, a plurality of different toll operator centers (toll chargers, TC1, TC2) 3 and a plurality of different billing centers (certificate issuers, CI1-CI3) 4.
The vehicle devices 2 continuously determine their location p in a global navigation satellite system (GNSS) 6 by means of satellite navigation receivers 5 (Figure 2) and generate a continuous stream (track) of location data (position fixes) pi thereof.
Each vehicle device 2 transmits its location data pi to a billing center 4 via an operator center 3, either in "raw form" or, preferably, processed into toll data m with the aid of a processing and transmitting/receiving unit 7, 8 (Figure 2). The processing segment 7 of the unit 7, 8 consists, for example, of a microprocessor, and the transmitting/receiving segment 8 of the unit 7, 8 consists of a DSRC (dedicated short-range communication) transceiver, a WAVE transceiver, a WLAN transceiver or, preferably, a PLMN (public land mobile network) transceiver.
The toll data m preferably consists of accumulated and location-anonymized toll transaction datasets that specify, for example, a number of kilometers traveled, a traveled segment of a road network, the time spent in a toll area (e.g., congestion charges), etc.
In order to generate the toll data m from the location data pi, the latter can be matched, for example, with previously stored toll maps ("map matching"). For this purpose, the vehicle devices 2 may also utilize, for example, an external map matching proxy 9, to which map matching tasks are outsourced under anonymized task identifications in order to preserve the confidentiality of the location data pi with respect to the operator and billing centers 3, 4. The toll data m may also be sent directly from the proxy 9 to the operator or billing centers 3, 4.
In order to monitor and control the functions of the vehicle devices 2 and also of the operator centers 3, each vehicle device 2 is, according to Figure 2, equipped with a trusted-element processor 10 that contains a cryptographic signature (trusted key) tk. The signature tk is issued, e.g., by a contract issuer CI, namely the owner of one of the billing centers 4, and is confidential to this contract issuer. In the context of the present description, the term "trusted-element processor" 10 refers to a processor element that is equipped with a cryptographic signature, access to which is cryptographically secured, preferably on the hardware level. Processor elements of this type meet strict security requirements such as, for example, those specified for single-chip processors integrated into SIM cards, credit cards, bank cards, etc.
The trusted-element processor 10 receives the stream of location data pi from the satellite navigation receiver 5 of the vehicle device 2 directly or via the processing segment 7 and is designed or programmed for recording the location data pi over a predefined time segment s such as, e.g., 1, 5 or 10 minutes at a time, in response to specific requests or triggers. The recorded time segment s(pi) is subsequently signed by the trusted-element processor 10 with its cryptographic signature tk and is therefore "frozen."
A data reduction of the time segment s may be carried out during the signing or directly before the signing, for example, by forming a hash value thereof. In the following description, the term hash value refers to the application of a practically irreversible n:1 transformation function to an input dataset, i.e., a function that is reversible only in an (extremely) ambiguous fashion, such that the input dataset practically can no longer be deduced from a known hash value. Examples of such hash functions are the checksum function, the modulo function, etc.
The signed logged time segment is designated as s*(pi, tk) in this case and is subsequently sent to an operator center 3 by the transmitting/receiving unit 8 of the vehicle device 2 and from said operator center to a billing center 4. Based on the signature tk of the signed time segment s*, the billing center 4 can deduce the authentic origin of said time segment from a trusted-element processor 10 that enjoys its trust. The signed logged time segment s* may alternatively or additionally be made available for retrieval via an interface 11 of the vehicle device 2.
The start of the time segment s, in which the location data pi is logged, may be triggered in the trusted-element processor 10 in different ways. According to a first embodiment, the vehicle device 2 contains a timer 12 in the form of a "watchdog" that triggers said logging at a predefined time T, i.e., it "wakes up" the trusted-element processor 10 for said functionality when the current time is t = T.
A second starting criterion consists of the trusted-element processor 10 detecting the occurrence of a predefined location P in the location data pi. The predefined location P may consist of a selective location such as, e.g., a "virtual toll station" or of an extended location such as a parking area, a city center, a highway segment, etc. The logging over said predefined time segment such as, e.g., over 10 minutes, starts as soon as the trusted-element processor 10 detects the location P in the location data pi, i.e., as soon as it determines that a location p in the location data pi lies within the boundaries or in the vicinity of the predefined location P. After the logging is completed, the signed logged time segment s* of the location data pi is available for its transmission and retrieval.
Another particularly secure starting criterion consists of the trusted-element processor 10 detecting the occurrence of the predefined location P in "external" location data pi' that it receives from other ("external") proximate vehicle devices 2, rather than in the own location data pi of its own vehicle device 2. This is described in greater detail below.
According to the illustrations in Figures 1 and 2, a group of vehicle devices 2 of the road toll system 1 may form a wireless network 13 by linking the vehicle devices to one another via wireless connections 14. The wireless connections 14 may be structured, for example, in accordance with the WAVE or WLAN standard, and the wireless network 13 preferably consists of an ad hoc network or VANET. For this purpose, each vehicle device 2 features a suitable wireless transceiver 15. The wireless transceiver 15 and the transmitting/receiving unit 8 of the vehicle device 2 may optionally be identical.
Vehicle devices 2 can inform one another about their respective current location p or, e.g., continuously exchange their location data pi within the wireless network 13.
One such example is the exchange of VST messages (Vehicle Service Table messages) within a VANET, in which the individual network nodes (vehicle devices 2) inform one another about their communication capabilities and the services they offer, as well as their recent locations p or their recent location data pi, when a wireless connection 14 is established.
Alternatively, a trusted-element processor 10 of a vehicle device 2 may also retrieve locations p or location data pi' of proximate vehicle devices 2 on its own at any time. The location data pi' of several proximate vehicle devices 2 received in a vehicle device 2 may also be matched with one another, e.g., with respect to consistency, in order to filter out anomalous measured values or to average the received location data pi'.
Retrieval or transmission keys with temporally and/or locally limited validity may be used for the retrieval or reception of the external location data pi' of the proximate vehicle devices 2, such that only external location data pi' that is received within a predefined time period or originates from a predefined local area around the vehicle device 2 is taken into consideration.
The trusted-element processor 10 is designed or programmed for detecting the appearance of the predefined location P in the external location data pi' of the proximate vehicle devices 2 and uses this as the triggering criterion for starting the logging of the location recordings pi of its own vehicle device 2. Consequently, possible manipulations, corruptions or faults of its own location data pi are not taken into consideration in triggering the logging of the location data segment s or s*, so that the detection of a malfunction is simplified: if the location recordings pi contained in the frozen time segment s* do not (approximately) correspond to the predefined location P that was detected in the external location data pi', a manipulation or a malfunction of the vehicle device 2 has occurred.
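The external trigger and the billing-center plausibility check described above, as an added example that is not part of the patent or of any product it describes: a toy Python model of the trusted-element side (neighbour data pi' triggers the freeze of the own fixes pi) and of the verification side (authentic origin first, then agreement with P). HMAC-SHA256 stands in for the signature with the trusted key tk; the virtual toll station P, the 150 m radius, the 20 s segment and both vehicle tracks are constructed values.

```python
import hashlib, hmac, json, math
from dataclasses import dataclass

# All values below are constructed for the toy: a virtual toll station P near
# Vienna, a 150 m detection radius and a 20 s time segment (the patent names
# 1, 5 or 10 minutes). HMAC-SHA256 stands in for the signature with key tk.
TK = b"constructed-trusted-key-tk"
P_LAT, P_LON, P_RADIUS_M = 48.2082, 16.3738, 150.0
SEGMENT_S = 20

@dataclass(frozen=True)
class Fix:
    t: int       # seconds
    lat: float
    lon: float

def dist_m(a: Fix, b: Fix) -> float:
    """Equirectangular distance in metres; adequate at the scale of a toll station."""
    dlat = math.radians(b.lat - a.lat)
    dlon = math.radians(b.lon - a.lon) * math.cos(math.radians((a.lat + b.lat) / 2))
    return 6371000.0 * math.hypot(dlat, dlon)

P = Fix(0, P_LAT, P_LON)

def admissible(own: Fix, ext: list[Fix], max_age_s=5, max_dist_m=300.0) -> list[Fix]:
    """Temporally and locally limited validity (claim 8): keep only fresh, nearby
    external fixes pi' so stale or far-away neighbours cannot trigger logging."""
    return [f for f in ext if 0 <= own.t - f.t <= max_age_s and dist_m(own, f) <= max_dist_m]

def external_trigger(own: Fix, ext: list[Fix]) -> bool:
    """P is detected in the neighbours' data pi', never in the device's own pi."""
    return any(dist_m(f, P) <= P_RADIUS_M for f in admissible(own, ext))

def freeze(track: list[Fix], start_t: int, tk: bytes = TK) -> dict:
    """Record own fixes pi over the segment s and sign them: s*(pi, tk)."""
    seg = [(f.t, f.lat, f.lon) for f in track if start_t <= f.t < start_t + SEGMENT_S]
    body = json.dumps(seg, separators=(",", ":"))
    return {"s": body, "sig": hmac.new(tk, body.encode(), hashlib.sha256).hexdigest()}

def simulate(own_track: list[Fix], ext_fixes: list[Fix], tk: bytes = TK):
    """Trusted-element side: walk the own track and freeze once neighbours show P."""
    for own in own_track:
        if external_trigger(own, [f for f in ext_fixes if f.t <= own.t]):
            return freeze(own_track, own.t, tk)
    return None

def verify(frozen: dict, tk: bytes = TK) -> str:
    """Billing-centre side: authentic origin first, then plausibility against P."""
    expected = hmac.new(tk, frozen["s"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, frozen["sig"]):
        return "bad signature"
    seg = json.loads(frozen["s"])
    if any(dist_m(Fix(t, lat, lon), P) <= P_RADIUS_M for t, lat, lon in seg):
        return "ok"
    return "manipulation or malfunction"   # the frozen pi never came near P

def own_track(stuck: bool = False) -> list[Fix]:
    """Constructed: 30 s eastbound along lat 48.2082 at ~37 m/s, passing P at t~8.
    With stuck=True the receiver keeps reporting its first fix (a malfunction)."""
    return [Fix(t, P_LAT, 16.3700 + (0.0 if stuck else 0.0005 * t)) for t in range(30)]

def neighbour_track() -> list[Fix]:
    """Constructed: proximate device O2 driving ~74 m ahead of the own vehicle."""
    return [Fix(t, P_LAT, 16.3710 + 0.0005 * t) for t in range(30)]

if __name__ == "__main__":
    print(verify(simulate(own_track(), neighbour_track())))             # ok
    print(verify(simulate(own_track(stuck=True), neighbour_track())))   # manipulation or malfunction
```

The stuck-receiver run shows the point of the external trigger: logging still starts at the right moment because the neighbour, not the faulty receiver, reports P, and the mismatch between the frozen fixes and P is what the billing center flags.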
It is also possible to combine the above-described embodiments: the timer 12 may cause the trusted-element processor 10 to retrieve the location data pi' of proximate vehicle devices 2 at a certain time t and to record and sign this external location data together with the time segment s of its own location data pi, i.e., s*(pi, tk, pi'), such that the proximate locations pi' can be taken into consideration in the verification of the own location recordings pi.
The proximate vehicle devices 2, the location data pi' of which is used, may under certain circumstances also be stationary, e.g., positioned in a stationary infrastructure rather than carried along in vehicles. In this case, they do not have to continuously determine their location data pi' anew, but may determine this data once or contain it in the form of data stored in a predefined fashion. Such "infrastructure-bound" vehicle devices 2 also fall under the term proximate vehicle devices 2 used herein.
The predefined time T, the predefined location P and/or the length of the time segment can be stored in the vehicle device 2 or the trusted-element processor 10 during the manufacture thereof or subsequently input via the interface 11, the transmitting/receiving unit 8 or the transceiver 15.
The invention therefore is not limited to the embodiments shown, but rather also includes all variations and modifications that fall under the scope of the attached claims.
Claims (15)
1. A vehicle device for a road toll system, comprising a satellite navigation receiver for continuously generating location data for a processing and transmitting/receiving unit of the vehicle device and a separate trusted-element processor for logging a time segment of the generated location data and for cryptographically signing said time segment, wherein the trusted-element processor is configured to start said logging upon detection of a predefined time or a predefined location of the vehicle device and to carry out this logging for a predefined time segment.
2. The vehicle device according to Claim 1, wherein the trusted-element processor detects the predefined location in its own generated location data.
3. The vehicle device according to Claim 1, wherein the trusted-element processor detects the predefined location in external location data that it receives from proximate vehicle devices via a wireless network.
4. The vehicle device according to Claim 3, wherein the wireless network consists of an ad hoc network.
5. The vehicle device according to Claim 4, wherein the ad hoc network operates in accordance with the WAVE or WLAN standard.
6. The vehicle device according to Claim 3, wherein the trusted-element processor receives and matches the external location data of several proximate vehicle devices in order to detect the predefined location in the matched external location data.
7. The vehicle device according to Claim 3, wherein the trusted-element processor anonymously retrieves the external location data.
8. The vehicle device according to Claim 3, wherein the trusted-element processor retrieves the external location data by exchanging a key having temporally and/or locally limited validity and takes into consideration only external location data that is received under a valid key.
9. The vehicle device according to Claim 1, wherein the trusted-element processor sends the signed time segment to a control center of the road toll system by means of the transmitting/receiving unit of the vehicle device.
10. The vehicle device according to Claim 1, wherein the trusted-element processor makes the signed time segment available for retrieval via an interface of the vehicle device.
11. An ad hoc network of at least two vehicle devices according to Claim 3 that are connected to one another via their transmitting/receiving units, wherein at least one vehicle device makes available location data to another vehicle device that detects a predefined location therein in order to start the logging of its own location data.
12. An ad hoc network of at least two vehicle devices according to Claim 6 that are connected to one another via their transmitting/receiving units, wherein at least one vehicle device makes available location data to another vehicle device that detects a predefined location therein in order to start the logging of its own location data.
13. An ad hoc network of at least two vehicle devices according to Claim 8 that are connected to one another via their transmitting/receiving units, wherein at least one vehicle device makes available location data to another vehicle device that detects a predefined location therein in order to start the logging of its own location data.
14. A method for logging location data of a location-recording vehicle device of a road toll system with several vehicle devices that can exchange location data in a wireless fashion, wherein said method comprises the following steps in a first vehicle device:
receiving location data of a second vehicle device, detecting a predefined location in the received location data of the second vehicle device, starting the logging of a time segment of the location data of the first vehicle device, and signing the logged time segment with a cryptographic signature.
15. A method for logging location data of a location-recording vehicle device of a road toll system with several vehicle devices that can exchange location data in a wireless fashion, wherein said method comprises the following steps in a first vehicle device:
detecting a predefined time, starting the logging of a time segment of the location data of the first vehicle device and receiving location data of a second vehicle device, and signing the logged time segment and the received location data with a cryptographic signature.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP20110450023 EP2490183B1 (en) | 2011-02-16 | 2011-02-16 | Vehicle device, ad-hoc network and method for a road toll system |
EP11450023.4 | 2011-02-16 |
Publications (1)
Publication Number | Publication Date |
---|---|
CA2762615A1 true CA2762615A1 (en) | 2012-08-16 |
Family
ID=44168296
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CA 2762615 Abandoned CA2762615A1 (en) | 2011-02-16 | 2011-12-21 | Vehicle device, ad hoc network and method for a road toll system |
Country Status (8)
Country | Link |
---|---|
US (1) | US8818895B2 (en) |
EP (1) | EP2490183B1 (en) |
CA (1) | CA2762615A1 (en) |
DK (1) | DK2490183T3 (en) |
ES (1) | ES2425777T3 (en) |
PL (1) | PL2490183T3 (en) |
PT (1) | PT2490183E (en) |
SI (1) | SI2490183T1 (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
ES2530870T3 (en) * | 2011-03-11 | 2015-03-06 | Telit Automotive Solutions Nv | Road toll system and procedure |
EP3021288B1 (en) * | 2014-11-17 | 2022-10-19 | Kapsch TrafficCom AG | Method and apparatus for trusted recording in a road toll system |
EP3188133B1 (en) * | 2015-12-30 | 2020-12-16 | Toll Collect GmbH | Position data processing device and toll system and method for operating a position data processing device and a road toll system |
DE102020000635A1 (en) | 2020-01-30 | 2021-08-05 | Christoph Maget | Perfectly secure communication between participants in cellular networks |
Family Cites Families (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5919239A (en) * | 1996-06-28 | 1999-07-06 | Fraker; William F. | Position and time-at-position logging system |
US6393346B1 (en) * | 1998-01-27 | 2002-05-21 | Computracker Corporation | Method of monitoring vehicular mileage |
DE10258653A1 (en) * | 2002-12-13 | 2003-09-11 | Daimler Chrysler Ag | Arrangement for calculation of tolls accrued by a vehicle travelling within a road network, whereby use of short-range vehicle to vehicle communications technology reduces the cost of an associated data network implementation |
GB2451167A (en) * | 2007-07-16 | 2009-01-21 | Charles Graham Palmer | Separation of cost calculation means and payment services in a Position-Based Charging system. |
DE102007035737A1 (en) * | 2007-07-30 | 2009-02-19 | Robert Bosch Gmbh | Method for checking a vehicle-transmitted position message of the vehicle and transceiver device for use in a vehicle |
DE102007058163A1 (en) * | 2007-09-28 | 2009-04-23 | Continental Automotive Gmbh | Tachograph, toll-on-board unit, indicating instrument and system |
US9002635B2 (en) * | 2009-01-14 | 2015-04-07 | Tomtom International B.V. | Navigation apparatus used-in vehicle |
EP2330562B1 (en) * | 2009-12-02 | 2019-03-13 | Telit Automotive Solutions NV | Smart road-toll-system |
2011
- 2011-02-16 PL PL11450023T patent/PL2490183T3/en unknown
- 2011-02-16 DK DK11450023T patent/DK2490183T3/en active
- 2011-02-16 SI SI201130039T patent/SI2490183T1/en unknown
- 2011-02-16 EP EP20110450023 patent/EP2490183B1/en not_active Not-in-force
- 2011-02-16 PT PT114500234T patent/PT2490183E/en unknown
- 2011-02-16 ES ES11450023T patent/ES2425777T3/en active Active
- 2011-12-21 CA CA 2762615 patent/CA2762615A1/en not_active Abandoned
2012
- 2012-01-18 US US13/353,007 patent/US8818895B2/en not_active Expired - Fee Related
Also Published As
Publication number | Publication date |
---|---|
ES2425777T3 (en) | 2013-10-17 |
EP2490183A1 (en) | 2012-08-22 |
US20120209776A1 (en) | 2012-08-16 |
SI2490183T1 (en) | 2013-07-31 |
DK2490183T3 (en) | 2013-09-02 |
PT2490183E (en) | 2013-08-23 |
PL2490183T3 (en) | 2013-10-31 |
US8818895B2 (en) | 2014-08-26 |
EP2490183B1 (en) | 2013-06-05 |
Similar Documents
Publication | Title |
---|---|
CA2861470C (en) | Method for checking toll transactions and components therefor |
US10621793B2 (en) | Location-based services |
US20090024458A1 (en) | Position-based Charging |
CA2739024C (en) | Method for collecting tolls for location usages |
KR20120116924A (en) | Vehicle access control services and platform |
CA2963589C (en) | Method and apparatus for trusted recording in a road toll system |
CN102132284B (en) | Verification of process integrity |
CN102510333A (en) | Authorization method and system |
WO2011073899A1 (en) | Data processing apparatus |
CN110149611A (en) | A kind of auth method, equipment and system |
US8818895B2 (en) | Vehicle device, ad hoc network and method for a road toll system |
CN108510357B (en) | Improved control method and device for shared bicycle intelligent lock framework |
US20130006726A1 (en) | Method for determining toll fees in a road toll system |
KR101047598B1 (en) | System and method for providing position information of vehicles using dsrc |
US8850198B2 (en) | Method for validating a road traffic control transaction |
WO2012131029A1 (en) | Vehicle usage verification system |
JP2008059544A (en) | Bicycle parking lot management system |
Pariyarath et al. | Efficient Privacy-Preserving Authentication using Blockchain for VANET |
US20210111866A1 (en) | System and method using a locally referenced blockchain |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
2016-11-15 | EEER | Examination request | Effective date: 20161115 |
2018-12-21 | FZDE | Discontinued | Effective date: 20181221 |